Lohrman on Security
NOVEMBER 28, 2021
The world seems focused on new developments in artificial intelligence to help with a wide range of problems, including staffing shortages. But will AI help or harm security teams?
Krebs on Security
OCTOBER 31, 2021
Virtually all compilers — programs that transform human-readable source code into computer-executable machine code — are vulnerable to an insidious attack in which an adversary can introduce targeted vulnerabilities into any software without being detected, new research released today warns. The vulnerability disclosure was coordinated with multiple organizations, some of whom are now releasing updates to address the security weakness.
This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.
Lohrman on Security
DECEMBER 23, 2021
What will the New Year bring in cyber space? Here’s your annual roundup of the top security industry forecasts, trends and cybersecurity prediction reports for calendar year 2022.
Krebs on Security
NOVEMBER 13, 2021
The Federal Bureau of Investigation (FBI) confirmed today that its fbi.gov domain name and Internet address were used to blast out thousands of fake emails about a cybercrime investigation. According to an interview with the person who claimed responsibility for the hoax, the spam messages were sent by abusing insecure code in an FBI online portal designed to share information with state and local law enforcement authorities.
Advertisement
How many people would you trust with your house keys? Chances are, you have a handful of trusted friends and family members who have an emergency copy, but you definitely wouldn’t hand those out too freely. You have stuff that’s worth protecting—and the more people that have access to your belongings, the higher the odds that something will go missing.
Daniel Miessler
DECEMBER 18, 2021
If you’re reading this you’re underslept and over-caffeinated due to log4j. Thank you for your service. I have some good news. I know a super-smart guy named d0nut who figured something out like 3 days ago that very few people know. Once you have 2.15 applied—or the CLI implementation to disable lookups—you actually need a non-default log4j2.properties configuration to still be vulnerable!
Schneier on Security
AUGUST 18, 2021
Apple’s NeuralHash algorithm — the one it’s using for client-side scanning on the iPhone — has been reverse-engineered. Turns out it was already in iOS 14.3, and someone noticed : Early tests show that it can tolerate image resizing and compression, but not cropping or rotations. We also have the first collision : two images that hash to the same value.
Cyber Security Informer brings together the best content for cyber security professionals from the widest variety of industry thought leaders.
Bleeping Computer
DECEMBER 29, 2021
T-Mobile confirmed that recent reports of a new data breach are linked to notifications sent to a "very small number of customers" that they fell victim to SIM swap attacks. [.].
Graham Cluley
OCTOBER 21, 2021
The US Government has issued an alert to organisations about the threat posed by the BlackMatter ransomware group. Read more in my article on the Tripwire State of Security blog.
Security Affairs
DECEMBER 18, 2021
Multiple flaws in the Log4J library are scaring organizations worldwide while threat actors are already exploiting them. 2.17 is the third fix issued in a week. While the experts were warning that threat actors are actively attempting to exploit a second vulnerability, tracked as CVE-2021-45046 , disclosed in the Log4j library a third security vulnerability made the headlines.
CSO Magazine
DECEMBER 13, 2021
A penetration tester, sometimes called an ethical hacker, is a security pro who launches simulated attacks against a client's network or systems in order to seek out vulnerabilities. Their goal is to demonstrate where and how a malicious attacker might exploit the target network, which allows their clients to mitigate any weaknesses before a real attack occurs.
Advertiser: Revenera
In a recent study, IDC found that 64% of organizations said they were already using open source in software development with a further 25% planning to in the next year. Most organizations are unaware of just how much open-source code is used and underestimate their dependency on it. As enterprises grow the use of open-source software, they face a new challenge: understanding the scope of open-source software that's being used throughout the organization and the corresponding exposure.
We Live Security
DECEMBER 30, 2021
As we usher in the New Year, let’s take a look at some statistics that will help you stay up-to-date on recent cybersecurity trends. The post 22 cybersecurity statistics to know for 2022 appeared first on WeLiveSecurity.
Security Boulevard
DECEMBER 1, 2021
The Finnish National Cyber Security Centre (NCSC-FI) has issued a warning to citizens about the current version of the FluBot malware campaign which is affecting “tens of thousands of people in Finland.” The malware campaign leverages SMS by sending out numerous text messages, according to NCSC-FI. The messages, all of which are written in Finnish, The post Finland Fending Off FluBot Malware, Again appeared first on Security Boulevard.
Google Security
DECEMBER 17, 2021
Posted by James Wetter and Nicky Ringland, Open Source Insights Team More than 35,000 Java packages, amounting to over 8% of the Maven Central repository (the most significant Java package repository), have been impacted by the recently disclosed log4j vulnerabilities ( 1 , 2 ), with widespread fallout across the software industry. The vulnerabilities allow an attacker to perform remote code execution by exploiting the insecure JNDI lookups feature exposed by the logging library log4j.
InfoWorld on Security
DECEMBER 10, 2021
Yesterday the Apache Foundation released an emergency update for a critical zero-day vulnerability in Log4j, a ubiquitous logging tool included in almost every Java application. The issue has been named Log4Shell and received the identifier CVE-2021-44228. The problem revolves around a bug in the Log4j library that can allow an attacker to execute arbitrary code on a system that is using Log4j to write out log messages.
Advertisement
The healthcare industry has massively adopted web tracking tools, including pixels and trackers. Tracking tools on user-authenticated and unauthenticated web pages can access personal health information (PHI) such as IP addresses, medical record numbers, home and email addresses, appointment dates, or other info provided by users on pages and thus can violate HIPAA Rules that govern the Use of Online Tracking Technologies by HIPAA Covered Entities and Business Associates.
Daniel Miessler
SEPTEMBER 12, 2021
This post will talk about my initial thoughts on The OWASP Top 10 release for 2021. Let me start by saying that I have respect for the people working on this project, and that as a project maintainer myself, I know how impossibly hard this is. Right, so with that out of the way, here’s what struck me with this list, along with some comments on building lists like this in general.
Schneier on Security
AUGUST 6, 2021
Fascinating research: “ Generating Master Faces for Dictionary Attacks with a Network-Assisted Latent Space Evolution.” Abstract: A master face is a face image that passes face-based identity-authentication for a large portion of the population. These faces can be used to impersonate, with a high probability of success, any user, without having access to any user-information.
Tech Republic Security
OCTOBER 18, 2021
CIOs must prioritize the same business imperatives and find the IT force multipliers to enable growth and innovation, according to a Gartner analyst during Gartner's IT Symposium.
Bleeping Computer
AUGUST 4, 2021
The LockBit 2.0 ransomware gang is actively recruiting corporate insiders to help them breach and encrypt networks. In return, the insider is promised million-dollar payouts. [.].
Speaker: Blackberry, OSS Consultants, & Revenera
Software is complex, which makes threats to the software supply chain more real every day. 64% of organizations have been impacted by a software supply chain attack and 60% of data breaches are due to unpatched software vulnerabilities. In the U.S. alone, cyber losses totaled $10.3 billion in 2022. All of these stats beg the question, “Do you know what’s in your software?
Graham Cluley
NOVEMBER 25, 2021
Security researchers are warning biomanufacturing facilities around the world that they are being targeted by a sophisticated new strain of malware, known as Tardigrade. Read more in my article on the Tripwire State of Security blog.
Security Affairs
DECEMBER 14, 2021
Bitdefender researchers discovered that threat actors are attempting to exploit the Log4Shell flaw to deliver the new Khonsari ransomware on Windows machines. Bitdefender researchers discovered that threat actors are attempting to exploit the Log4Shell vulnerability ( CVE-2021-44228 ) to deliver the new Khonsari ransomware on Windows machines. Experts warn that threat actors are attempting to exploit the Log4Shell flaw to deliver the new Khonsari ransomware on Windows machines.
CSO Magazine
DECEMBER 16, 2021
The COVID-19 pandemic forced companies to scramble to accommodate employees suddenly working from home. This required a move to cloud-based infrastructures, mobile applications and good collaboration and conferencing tools. The shift was massive for most firms. According to Statista , only 17% of workers in the United States telecommuted even a little prior to the pandemic.
We Live Security
DECEMBER 1, 2021
ESET researchers studied all the malicious frameworks ever reported publicly that have been used to attack air-gapped networks and are releasing a side-by-side comparison of their most important TTPs. The post Jumping the air gap: 15 years of nation‑state effort appeared first on WeLiveSecurity.
Speaker: Erika R. Bales, Esq.
When we talk about “compliance and security," most companies want to ensure that steps are being taken to protect what they value most – people, data, real or personal property, intellectual property, digital assets, or any other number of other things - and it’s more important than ever that safeguards are in place. Let’s step back and focus on the idea that no matter how complicated the compliance and security regime, it should be able to be distilled down to a checklist.
Security Boulevard
DECEMBER 2, 2021
Retail is known to experience a spike in cybercrime around the holidays. With millions of shoppers conducting business online, the threat landscape usually increases with this jolt in traffic. However, this year, it's not only Retail that should be concerned — research by CORO finds that all mid-market businesses are 490% more likely to experience.
The Hacker News
DECEMBER 21, 2021
Even with the growing awareness about cybersecurity, many myths about it are prevalent. These misconceptions can be a barrier to effective security. The first step to ensure the security of your business is to separate the false information, myths, and rumors from the truth. Here, we're busting some common cybersecurity myths. Read on to find out which of the following you thought were true.
IT Security Guru
NOVEMBER 11, 2021
What keeps OT security specialists up at night? It’s mostly problems from the IT world, says Andy Norton, European Cyber Risk Officer at Armis. Operational technology (OT) used to be the specialist networks nobody in IT bothered with, or perhaps thought they didn’t need to. For a while, that seemed reasonable; OT networks were usually isolated from IT operations, sat behind air gaps, and ran on obscure operating systems.
Appknox
OCTOBER 13, 2021
SSL Pinning is a technique that we use on the client-side to avoid a man-in-the-middle attack by validating the server certificates. The developers embed (or pin) a list of trustful certificates to the client application during development, and use them to compare against the server certificates during runtime.
Speaker: William Hord, Vice President of ERM Services
A well-defined change management process is critical to minimizing the impact that change has on your organization. Leveraging the data that your ERM program already contains is an effective way to help create and manage the overall change management process within your organization. Your ERM program generally assesses and maintains detailed information related to strategy, operations, and the remediation plans needed to mitigate the impact on the organization.
Acunetix
DECEMBER 9, 2021
In the latest release of Acunetix, we added support for the HTTP/2 protocol and introduced several checks specific to the vulnerabilities associated with this protocol. For example, we introduced checks for misrouting, server-side request forgery (SSRF), and web cache poisoning. In this article, we’d like. Read more. The post How Acunetix addresses HTTP/2 vulnerabilities appeared first on Acunetix.
Tech Republic Security
NOVEMBER 19, 2021
Advanced threats constantly evolve. This year saw multiple examples of advanced persistent threats under the spotlight, allowing us to predict what threats might lead the future.
Bleeping Computer
DECEMBER 10, 2021
Wordfence analysts report having detected a massive wave of attacks in the last couple of days, originating from 16,000 IPs and targeting over 1.6 million WordPress sites. [.].
Webroot
OCTOBER 13, 2021
Malware leaps from the darkness to envelop our lives in a cloak of stolen information, lost data and worse. But to know your enemy is to defeat your enemy. So we peered over the ledge leading to the dark web and leapt. The forces we sought are disruptors – without warning, they disturb our businesses and our connections to family and friends. And darkness we found – from million-dollar ransoms to supply chain attacks, these malware variants were The 6 Nastiest Malware of 2021.
Speaker: Ronald Eddings, Cybersecurity Expert and Podcaster
So, you’ve accomplished an organization-wide SaaS adoption. It started slow, and now just a few team members might be responsible for running Salesforce, Slack, and a few others applications that boost productivity, but it’s all finished. Or is it? Through all the benefits offered by SaaS applications, it’s still a necessity to onboard providers as quickly as possible.
Expert insights. Personalized for you.
362 
Let's personalize your content